Single Sign-on Authentication and Pubcookie


Transcripts
Slide 1

Single Sign-on Authentication and Pubcookie
By Archie E. Huerto, CSUN – COMP 529
COMP 529 - Advanced Computer Networks

Slide 2

Roadmap
- Taxonomy of SSO Systems
- Using SSO on Trusted Platforms
- Security Assertion Markup Language
- Pubcookie

Slide 3

Password Explosion
- Having multiple passwords to reach various systems weakens security
- Users tend to pick passwords that are easy to remember and therefore easy to guess
- They may write passwords down in obvious places

Slide 4

What is Single Sign-on?
- Lets users authenticate themselves once and access different applications without re-authenticating
- Increases the usability of the system
- Centralizes the management of important system parameters
- Two fundamental types of SSO systems: Pseudo-SSO and True SSO

Slide 5

Pseudo-SSO
- Primary authentication: the user is authenticated by the pseudo-SSO component
- Secondary authentication: a separate authentication takes place each time the user signs in to a service provider
- The pseudo-SSO component manages the service-provider-specific credentials, which constitute the SSO identities

Slide 6

Pseudo-SSO

Slide 7

True SSO
- The user is authenticated by an Authentication Service Provider (ASP)
- The ASP needs an established relationship with every SP for which SSO is to be set up
- The authentication procedure that involves the user takes place between the user and the ASP
- Service providers are informed by means of authentication assertions, which contain the user's SSO identity and the authentication status with the ASP

Slide 8

True SSO

Slide 9

Generic SSO System

Slide 10

Categories of SSO Systems
- SSO models can be further classified according to the location of the ASP/pseudo-SSO component
- It can be local to the user platform or offered as a service by an external entity (an SSO proxy)
- Four main categories of SSO systems: Local Pseudo-SSO, Proxy-Based Pseudo-SSO, Local True SSO, Proxy-Based True SSO

Slide 11

Examples of True SSO: Kerberos
- A network authentication protocol designed to provide strong authentication for client/server applications using secret-key cryptography
- A Kerberos server consists of an authentication server and a ticket-granting server, which together act as the ASP
- Every user and every SP shares a long-term secret key with the ASP

Slide 12

Examples of True SSO: Granting Kerberos Tickets
1. Client -> ASP: c
2. ASP -> Client: {K_s1}K_c, {T_gt}K_s1
3. Client -> ASP: {A_c}K_s1, {T_gt}K_s1, SP ID
4. ASP -> Client: {K_s2}K_s1, {T_sg}K_s
5. Client -> SP: {A_c}K_s2, {T_sg}K_s
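The five-message exchange above, as an added example that is not part of the original slides: a stdlib-only simulation of the ticket and authenticator checks the TGS and the SP perform. The slide's notation leaves the ticket keys unclear; the example follows standard Kerberos, where T_gt is sealed under the TGS's long-term key and T_sg under the SP's. The `seal`/`unseal` pair is a toy encrypt-then-MAC construction standing in for Kerberos's real cipher, and all key material is constructed.

```python
import hashlib, hmac, json, os, time

def _stream(key, iv, n):  # counter-mode keystream from SHA-256 (toy cipher, assumption)
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, msg: bytes) -> bytes:
    """{msg}key: toy encrypt-then-MAC standing in for Kerberos's symmetric cipher."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, iv, len(msg))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, iv, len(ct))))

# Constructed long-term keys: each user and each SP shares one with the ASP (slide 11).
KEYS = {"alice": os.urandom(32), "tgs": os.urandom(32), "fileserver": os.urandom(32)}

def ticket(service_key, client, session_key):
    """A ticket names the client and carries the session key, sealed under the service's long-term key."""
    return seal(service_key, json.dumps({"client": client, "key": session_key.hex(), "exp": time.time() + 300}).encode())
def authenticator(session_key, client):
    return seal(session_key, json.dumps({"client": client, "ts": time.time()}).encode())

def check(service_key, ticket_blob, auth_blob):
    """Verify a ticket/authenticator pair (used by both TGS and SP); returns (client, session key)."""
    t = json.loads(unseal(service_key, ticket_blob))
    k = bytes.fromhex(t["key"])
    a = json.loads(unseal(k, auth_blob))          # only the session key inside the ticket opens A_c
    if a["client"] != t["client"] or t["exp"] < time.time():
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return t["client"], k

def asp_grant(t_gt, a_c, target):
    """Messages 3-4: the TGS checks T_gt/A_c, then issues K_s2 and T_sg for the requested SP."""
    client, k_s1 = check(KEYS["tgs"], t_gt, a_c)
    k_s2 = os.urandom(32)
    return seal(k_s1, k_s2), ticket(KEYS[target], client, k_s2)

def sp_verify(t_sg, a_c, service):
    return check(KEYS[service], t_sg, a_c)[0]     # message 5: SP validates under its own key

def kerberos_sso(client="alice", target="fileserver"):
    """Run messages 1-5 for one client; returns the client name the SP accepted."""
    k_s1 = os.urandom(32)                                                          # msg 1: client sends c
    enc_k_s1, t_gt = seal(KEYS[client], k_s1), ticket(KEYS["tgs"], client, k_s1)  # msg 2
    k_s1 = unseal(KEYS[client], enc_k_s1)                                          # only the holder of K_c recovers K_s1
    enc_k_s2, t_sg = asp_grant(t_gt, authenticator(k_s1, client), target)         # msgs 3-4
    return sp_verify(t_sg, authenticator(unseal(k_s1, enc_k_s2), client), target)  # msg 5
```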

Slide 13

Examples of True SSO: Microsoft .NET Passport
- A web-based SSO service offered by Microsoft since 1999 and one of the most widely deployed services of its kind
- Passport accounts can store address, date of birth, and credit card details
- A unique 64-bit numeric identifier called the "Passport User ID" (PUID) is assigned to the user during account creation
- Users can register at the Passport home page (www.passport.com), through the Windows XP registration wizard, or at any participating site

Slide 14

Examples of True SSO

Slide 15

Examples of True SSO: The Liberty Alliance
- A set of open specifications for web-based SSO developed by a consortium of more than 140 organizations
- Based on "circles of trust" formed by trusted ASPs and relying SPs
- Uses the Security Assertion Markup Language (SAML)

Slide 16

Roadmap
- Taxonomy of SSO Systems
- Using SSO on Trusted Platforms
- Security Assertion Markup Language
- Pubcookie

Slide 17

Trusted Platforms
- The Trusted Computing Group (TCG) is a not-for-profit industry-standards organization with the following goal: "Through the collaboration of platform, software, and technology vendors, develop a specification that delivers an enhanced HW and OS based trusted computing platform that enhances customers' domains."
- TCG was formed in spring 2003 and has adopted the specifications developed by the Trusted Computing Platform Alliance (TCPA)

Slide 18

What is TCG Technology?
- Trusted Platform (TP): a computing platform that conforms to the TCG specifications
- Trusted Platform Module (TPM): a crypto co-processor with special functionality that every TP has
- The TPM is bound to the platform and cannot be removed
- Information stored in the TPM is resistant to any direct software attack, as the data can only be accessed through well-defined commands known as "TPM capabilities"

Slide 19

TPM Identity: Endorsement Key
- A unique RSA key pair that every TPM has embedded in it
- The private key (EKpr) never leaves the TPM; the public key (EKpu) can be retrieved from the TPM only under specific conditions
- The EK is used to decrypt information sent to a TPM from a Privacy Certification Authority (CA)

Slide 20

Attestation
- The process of vouching for the accuracy of information
- Attestation Identity Key (AIK): a special-purpose asymmetric signature key created by the TPM from its EK and used for signature generation and verification
- Every TP can have more than one AIK
- The private part of the AIK is non-migratable and protected by the TPM; the public part of the AIK is part of the AIK Credential, issued by a Privacy CA
- Allows a user to prove to third parties that he/she is using a genuine TP without revealing its identity

Slide 21

AIK Certification Process
1. TP -> Privacy CA: AIKpu, EKpu
   The trusted platform creates a new AIK and sends the public key of the new AIK together with its public EK to a certifying authority
2. Privacy CA -> TP: {AIK Credential(AIKpu)}EKpu
   The certifying authority, after accepting the request, creates a credential for the public part of the AIK, encrypts it with the public endorsement key, and sends it back to the TP
3. TP -> Privacy CA: AIK Credential(AIKpu)
   The TP then decrypts the new AIK credential and proves to the certifying authority that it could do so because it holds the private EK

Slide 22

Integrity Measurement (Metrics)
- The process of obtaining metrics of platform characteristics that affect the integrity (trustworthiness) of a platform
- Platform Configuration Registers (PCRs): a protected area where the metrics and their digests are stored
- Measured Values: a representation of embedded data or program code
- Measurement Digest: SHA-1 cryptographic hash of the measured values
- PCR[n] <- SHA-1(PCR[n] + measured values), where "+" is concatenation; the register is extended, never overwritten

Slide 23

Integrity Challenge/Response
- Integrity Challenge: issued by a third party to assess the software state of a TP; includes a nonce to protect against replay
- Integrity Response:
  - the current PCR values
  - a digital signature over the PCR values and the nonce, using one of the AIKs
  - the AIK Credential for the AIK used to produce the signature
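The PCR extend rule from slide 22 and the challenge/response of slide 23, worked through in code. This is an added example, not part of the original slides: the boot chain is constructed sample data, and an HMAC key stands in for the AIK because the standard library has no RSA (a real TPM signs with the AIK private key and the challenger verifies with the public key carried in the AIK Credential). The demo shows a genuine platform being accepted, a platform whose authentication service was modified being rejected because its PCR chain diverges, and a replayed response being rejected because the nonce does not match.

```python
import hashlib, hmac, os

# Constructed sample boot chain; each entry plays the "measured values" of one component.
BOOT_CHAIN = [b"firmware-1.2", b"bootloader-3.0", b"kernel-5.10", b"auth-service-2.1"]

def pcr_extend(pcr: bytes, measured: bytes) -> bytes:
    """Slide 22 rule: PCR[n] <- SHA-1(PCR[n] || measurement digest); '+' on the slide is concatenation."""
    return hashlib.sha1(pcr + hashlib.sha1(measured).digest()).digest()

def measure_chain(chain) -> bytes:
    """Extend one PCR with every component in boot order, starting from an all-zero register."""
    pcr = bytes(20)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr

# Assumption: an HMAC key stands in for the AIK, so TP and challenger share it here;
# with a real AIK the challenger would use the public key from the AIK Credential.
AIK_KEY = os.urandom(32)

def integrity_response(pcr: bytes, nonce: bytes) -> dict:
    """TP side of slide 23: return the PCR value, the challenger's nonce and a signature over both."""
    sig = hmac.new(AIK_KEY, pcr + nonce, hashlib.sha256).hexdigest()
    return {"pcr": pcr.hex(), "nonce": nonce.hex(), "sig": sig, "aik_credential": "AIK-CRED-PLACEHOLDER"}

def verify_response(resp: dict, expected_nonce: bytes, golden_pcr: bytes) -> bool:
    """Challenger side: nonce must be the one it issued, signature must verify, PCR must be known-good."""
    pcr, nonce = bytes.fromhex(resp["pcr"]), bytes.fromhex(resp["nonce"])
    if nonce != expected_nonce:
        return False                      # replayed or misdirected response
    expected = hmac.new(AIK_KEY, pcr + nonce, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(resp["sig"], expected):
        return False                      # not produced by the AIK holder, or altered in transit
    return pcr == golden_pcr              # software state differs from the expected configuration

def demo():
    """Returns (genuine platform accepted, modified AS rejected, replayed response rejected)."""
    golden = measure_chain(BOOT_CHAIN)
    nonce = os.urandom(16)
    fresh = integrity_response(measure_chain(BOOT_CHAIN), nonce)
    modified = measure_chain(BOOT_CHAIN[:-1] + [b"auth-service-2.1-modified"])
    return (verify_response(fresh, nonce, golden),
            verify_response(integrity_response(modified, nonce), nonce, golden),
            verify_response(fresh, os.urandom(16), golden))
```

Because each extend hashes the previous register value, the same components measured in a different order yield a different PCR, which is why an SP can detect software executed before the AS (slide 27) and not just the AS itself.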

Slide 24

Using Trusted Platforms for SSO
- User authentication can be delegated to the user's TP and carried out by an Authentication Service (AS) within that TP
- AIK Credentials are unique because they carry a unique serial number assigned by the issuing Privacy CA (e.g. [Privacy CA, Serial Number])
- SPs can use AIK Credentials as SSO Identities for users

Slide 25

SSO Entities: User System
- SSO Identities have to be created and activated for every user of a given TP
- For TPs with multiple users, the AS should allow TPM owners to create a set of distinct SSO Identities for every user of the platform
- The AS will be tightly integrated into the TP's operating system or be part of the OS login mechanism
- SPs can assess the integrity of the AS on the user's system because it is measured into the TPM's PCRs

Slide 26

SSO Entities: Service Providers
- Need to verify the AS using an Integrity Challenge/Response session, which also provides user identification
- Must have a well-known, human-readable unique identifier (e.g. a URI) so that users can authenticate SPs before releasing an Integrity Response

Slide 27

Trust Relationships
- End users need to trust the Privacy CA that certified the AIK Credentials corresponding to their SSO Identities
- SPs need to trust the Privacy CA chosen by the user to certify the AIK Credentials of their SSO Identities
- SPs need to trust the AS installed on the user's TP and any software executed before the AS
- Trusting the Privacy CA implies trusting the TP and TPM manufacturers vouched for by the Privacy CA

Slide 28

Roadmap
- Taxonomy of SSO Systems
- Using SSO on Trusted Platforms
- Security Assertion Markup Language
- Pubcookie

Slide 29

What is SAML?
- The Security Assertion Markup Language is an XML-based framework for communicating user authentication, entitlement, and attribute information
- It is developed by the Security Services Technical Committee (SSTC) of the Organization for the Advancement of Structured Information Standards (OASIS)
- SAML V1.0 became an OASIS standard in November 2002, SAML V1.1 followed in September 2003, and SAML V2.0 in March 2005

Slide 30

SAML Parties
- Identity Provider (IdP): the system that asserts information about a subject, also known as the SAML autho
